As mentioned before, I’ve started working on dbaSecurityScan, a PowerShell module for tracking changes to a database’s security model and bringing the database back into line.
Making the most of not being able to leave the house for very long, I’ve been cracking along on getting the basics in place. Unlike a PowerShell module like dbatools, this one doesn’t break down nicely into small lumps, so it’s likely that new features will be added in big lumps until we hit a critical mass.
So, I’ve just pushed up a nice big change that shows some of the core features working properly. In the current version we have:
- Creating a database security config from an existing database for the following security principals:
  - Users
  - Objects
  - Roles
  - Schemas
- Testing the database security config against a database
- Taking the test results and generating a list of actions that need to be undertaken to bring the database back into line
- Running a ‘WhatIf’ run of the fixes to generate a list of actions to be undertaken without applying them
- Applying the fixes to bring a database back into line, with a choice of running all actions, just those that add/grant security measures, or just those that drop/revoke security measures
Some code to show how those features currently work:
```powershell
# This is based on the module state on 18th April 2020, it will have moved on since then!
Import-Module dbaSecurityScan

# Create config and test against a new database
$config = New-DssConfig -SqlInstance server1\sql2017 -Database db1
$config | ConvertTo-Json -Depth 5 | Out-File \\file\store\db1-SecurityConfig.json

# time passes and we want to check for security drift
# hydrate the config back into an object
$config = ConvertFrom-Json -InputObject (Get-Content \\file\store\db1-SecurityConfig.json -Raw)

# Test the database against the config and vice versa
# This will run all the tests and store the results of pass/fail in $testResults.
$testResults = Invoke-DssTest -SqlInstance server1\sql2017 -Database db1 -Config $config

# If you don't want to see all of the Pester output as well, then you can
$testResults = Invoke-DssTest -SqlInstance server1\sql2017 -Database db1 -Config $config -Quiet

# Now we can use the results to bring the database back to security baseline
# Let's first sanity check any fixes, -OutputOnly will just output the intended actions and not apply any.
$fixResults = Reset-DssSecurity -SqlInstance server1\sql2017 -Database db1 -TestResult $testResults -OutputOnly

# Once you've approved the changes, they can be applied like so:
$fixResults = Reset-DssSecurity -SqlInstance server1\sql2017 -Database db1 -TestResult $testResults
```
On the to do list for the next couple of weeks of lockdown are:
- Add fixing functions for roles and objects
- Add Pipeline support
- Add better comment based help
- Allow comparison of config documents
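As an added example of the config-document comparison on that to-do list (this is not code from the module), the function below flattens two hydrated config objects and reports what was added, removed or changed between a stored baseline and a fresh export. The walk is schema-agnostic, and the sample JSON at the bottom is a constructed shape, not the module's real config layout.

```powershell
# Added example, not part of dbaSecurityScan: compare two config documents
# exported with New-DssConfig | ConvertTo-Json -Depth 5 and report drift.

function Add-FlatEntry {
    # Flattens a JSON-derived object into $Map as 'path' -> value.
    # Arrays are treated as unordered sets keyed by each element's compact
    # JSON, so a re-ordered export of the same principals is not reported.
    param($Object, [string]$Path, [hashtable]$Map)
    if ($Object -is [System.Collections.IList]) {
        foreach ($item in $Object) {
            $elementJson = ConvertTo-Json -InputObject $item -Compress -Depth 10
            $Map["${Path}[$elementJson]"] = '<present>'
        }
    }
    elseif ($Object -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Object.PSObject.Properties) {
            Add-FlatEntry -Object $prop.Value -Path "$Path.$($prop.Name)" -Map $Map
        }
    }
    else {
        $Map[$Path] = if ($null -eq $Object) { '<null>' } else { [string]$Object }
    }
}

function Compare-DssConfigDocument {
    # $Reference is the stored baseline, $Difference the fresh export;
    # both are objects as returned by ConvertFrom-Json.
    param([Parameter(Mandatory)]$Reference, [Parameter(Mandatory)]$Difference)
    $ref = @{}; $dif = @{}
    Add-FlatEntry -Object $Reference  -Path '$' -Map $ref
    Add-FlatEntry -Object $Difference -Path '$' -Map $dif
    foreach ($key in (@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        if (-not $dif.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $key; Was = $ref[$key]; Now = $null }
        }
        elseif (-not $ref.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added';   Path = $key; Was = $null;      Now = $dif[$key] }
        }
        elseif ($ref[$key] -ne $dif[$key]) {
            [pscustomobject]@{ Change = 'Changed'; Path = $key; Was = $ref[$key]; Now = $dif[$key] }
        }
    }
}

# Constructed sample documents (illustrative shape, not the module's schema):
# the owner changed and the 'app' user gained db_owner, which shows up as the
# old user element being Removed and the new one Added.
$baseline = '{"Database":"db1","Owner":"sa","Users":[{"Name":"app","Roles":["db_datareader"]}]}'
$current  = '{"Database":"db1","Owner":"dev1","Users":[{"Name":"app","Roles":["db_datareader","db_owner"]}]}'
Compare-DssConfigDocument -Reference ($baseline | ConvertFrom-Json) -Difference ($current | ConvertFrom-Json) |
    Format-Table -AutoSize
```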
Please get in touch if you’ve got any ideas for features. If you want to lend a hand, then I’m happy to take Pull Requests over at https://dbasecurityscan.io/.
Please also report any bugs/issues over on GitHub.